Subscribe

Leave Blank:Don't Change:

Your email:

Reader Offer

Disclaimer

This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

I reported earlier this week on the outcome of the first case of this type to reach the Tribunal. Here is my analysis of the key points.

Factual background

Central London Community Healthcare NHS Trust v IC (EA/2012/00111) concerned the first monetary penalty notice (MPN) to be appealed to the First-Tier Tribunal. The Trust’s appeal has been dismissed by the Tribunal (Professor Angel, Rosalind Tatam and Paul Taylor). The decision can be accessed here: Central London NHS Trust v IC EA20120111.

The background is that the Trust had, on some 45 occasions, faxed a list of palliative care in-patients to the wrong fax number (namely to that of a member of the public who notified the Trust and said he had destroyed the faxes – but he was never traced and destruction could not be confirmed). This was sensitive personal data: it included names as well as information about patients’ medical diagnoses, treatment and domestic situations.

The MPN

The IC found that the Trust had breached the seventh data protection principle, which requires that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The IC decided that the three preconditions for the exercise of his discretion to issue a MPN under section 55A of the Data Protection Act 1998 had been met here. These conditions are (i) there was a serious contravention of the DPA, (ii) this contravention was of a kind likely to cause substantial damage or substantial distress, and (iii) the contravention was either deliberate, or the data controller knew or ought to have known that there was a serious risk that a contravention would occur and would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it happening.

The IC is empowered to impose MPNs of up to £500,000. In this case, the amount was £90,000.

The Tribunal’s jurisdiction

On the Trust’s appeal, one of the first issues for the Tribunal was the extent of its statutory powers under section 49 of the DPA (which mirrors section 58 of FOIA): the Tribunal agreed with the Trust that, as with appeals under FOIA, the Tribunal had jurisdiction to consider the matter de novo; it was not restricted to a review along public law lines. It also found that it could either allow the appeal, or substitute an alternative MPN (including one imposing a higher penalty than that imposed by the IC), or substitute an enforcement notice instead (paragraphs 36-39).

Alleged indication that no MPN would be issued

The only point of evidence in dispute was the Trust’s contention that the IC’s enforcement team had indicated during the investigation that no MPN would be issued. The Tribunal found that the Commissioner’s enforcement officer “did not give any serious indication or assurance that there would be no fine or MPN in this case which in any way excluded the IC from deciding to issue an MPN” (paragraph 46).

The IC’s decision-making process

The decision to impose a penalty is taken by a Deputy Commissioner, in consultation with an internal working party comprising various senior managers within the ICO and one of the ICO’s enforcement lawyers. Having decided that an MPN should be issued, the ICO determined the amount by reference to an internal, unpublished framework as follows:

(i) Serious = £40,000 to £100,000

(ii) Very serious = more than £100,000 but less than £250,000

(iii) Most serious = more than £250,000 up to the maximum of £500,000.

It decided that this case was in the “serious” category. Its methodology was then to take the midpoint of that band and consider any aggravating or mitigating circumstances.

As required by the DPA, the ICO then issued the Trust with a Notice of Intent to issue a MPN to the value of £90,000. The Trust accepted that a financial penalty was warranted, but disputed the amount, making submissions on mitigating factors. The ICO maintained its position and issued the MPN.

‘Assessments’ and the statutory bar under section 55(3A)

By section 55(3A) of the DPA, the IC may not use anything which came to his attention pursuant to his carrying out an ‘assessment’ under section 51(7) when deciding on whether an MPN can be imposed. The Trust argued that the IC’s investigation of its voluntarily-reported breach constituted an ‘assessment’.

The Tribunal considered the rival submissions on the legislative intent behind the bar imposed by section 55(3A) (though on this point it rejected the Trust’s invitation to take ministerial statements into account, on Pepper v Hart principles) and on the range of powers open to the IC. It preferred those of the IC: section 51(7) is directed at educating and advising data controllers, on the basis of a consensual engagement, with a view to avoiding future breaches of the DPA. The aim of the statutory bar provided for under section 55A(3A) is to prevent the IC from using information he obtains via the educational/advisory process provided for under section 51(7) to impose an MPN on a data controller. This case did not involve such an educational/advisory process. There was no assessment under section 51(7) (paragraphs 87-91).

The IC’s adherence to its own policy

The Trust did not contend that the IC failed to apply the statutory guidance on MPNs. It did, however, argue that it failed to consider or adhere to its own non-statutory policy on the reporting of breaches, which said that “the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public”.

Again, the Tribunal found for the IC: the statutory guidance was what really mattered, but in any event the IC had not departed from its own policies (paragraphs 102-103).

The IC’s exercising of its discretion

Where the conditions for the issuing of an MPN are met, the ICO still has a discretion as to whether or not to issue one. The Trust argued that the ICO had failed to exercise its discretion lawfully: there was no evidence of it taking into account relevant considerations.

The particular considerations relied upon by the Trust were (i) the ICO failed to take proper account of the overriding policy objective to encourage cooperative working between it and data controllers and failed to give sufficient credit for the Trust’s transparency and its co-operative stance, (ii) the effect of the ICO’s policy to impose high profile fines on data controllers who voluntarily report incidents and cooperate with its investigations is to discourage other controllers from being open and transparent, and (iii) the ICO’s approach to cases of this nature creates an unfair and unsustainable distinction between those data controllers who, when suspected of being in breach of the DPA, are required to submit to assessment notices or are requested to undergo consensual audits and those, like the Trust in this case, who voluntarily submit themselves to regulatory scrutiny. The Trust argued that the ICO had failed to think about these points.

The Tribunal rejected these criticisms as misconceived (paragraph 122). While the ICO’s process could have been more comprehensible, it could not be said to have overlooked relevant matters.

Consideration of mitigating factors

Next, the Trust contended that the ICO had failed properly to consider the mitigating factors on which it made submissions. Again, the Tribunal disagreed. The ICO had not erred in this way. In any event, the Tribunal did not seem to find the mitigating factors to be particularly forceful. It said:

“The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).

The Trust’s criticisms of the IC’s decision on the amount of the MPN

The Trust said that the IC never explained its methodology for calculating the amount of the MPN – the three categories of seriousness, for example, were never mentioned, nor was the means of calculation. Once again, the Tribunal did not agree. It considered that the IC had made the principles behind its approach clear to the Trust prior to issuing the MPN.

Notable the Tribunal observed that “We find it interesting that the contravention is only categorised as “serious” and not “very serious” as it seems to us on the facts of this case the IC could have taken a more penal approach to the amount in question” (paragraph 138) and concluded that “We are satisfied that the ICO has reached a figure within a range of reasonable figures it could have considered” (paragraph 139). It also rejected the submission that the IC failed to take the mitigating factors into account when deciding on the amount of the MPN (paragraph 148).

Discount for early payment

The final issue considered by the Tribunal is of significant importance. MPNs provide for a discount (here: 20%) for early payment. If a data controller appeals an MPN and loses, can it still claim the discount? The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its cased tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.

Data controllers who contravene the DPA in a serious or potentially serious way should take note of this last point, and indeed of the Tribunal’s first excursion into the new MPN appeal territory.

First-Tier Tribunal decisions are of course not binding on other First-Tier Tribunals. There will be more appeals against MPNs later this year. Panopticon will report on whether the principles from the Central London NHS Trust case are borne out by future decisions. For now, this decision is the best data controllers have to go on.

Tim Pitt-Payne QC appeared for the Trust. Anya Proops appeared for the IC.

One of the most notable features of the information rights landscape in 2012 was the issuing by the Information Commissioner of a number of Monetary Penalty Notices for breaches of (primarily, but not exclusively) the Data Protection Act 1998.

The First-Tier Tribunal has today given its decision in the first appeal against such a notice. Central London Community Healthcare NHS Trust v IC (EA/2012/00111) saw the Trust appeal against a £90,000 MPN for the Trust’s repeated faxing of sensitive patient data to the wrong fax number (see Panopticon’s earlier reports here and here).

A summary of the key points from this landmark decision will follow as soon as possible. For now, Panopticon can confirm that the Trust’s appeal has been dismissed.

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

The Data Protection Act 1998 is increasingly being deployed as part of a claimant’s arsenal in defamation claims. The Information Commissioner has historically resisted policing DPA breaches in the context of allegedly defamatory expressions of opinion by one person about another.

Courts, on the other hand, have accepted that expressions of opinion about individuals are (as the definition at section 1 of the DPA makes clear) personal data, and that the DPA can therefore bite. This has arisen, for example, in the context of Norwich Pharmacal claims seeking the disclosure of the identities of users posting allegedly defamatory material. See for example Applause Store Productions Ltd and another v Raphael [2008] EWHC 1781 (QB), on which Anya posted here.

The use of the DPA in defamation claims (or cases which, though brought under the DPA, look in substance like defamation claims) has, it seems, gathered momentum. In late 2011, Tugendhadt J gave judgment in a case about the ‘solicitors from hell’ website: The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB), on which Rachel Kamm posted here.

Last month, the DPA was again successfully relied upon as founding an arguable defamation-type claim. Desmond v Foreman, Shenton, Elliott, Cheshire West and Cheshire Council and Cheshire East Council [2012] EWHC 1900 (QB), involved a cover teacher who was suspended and ultimately dismissed following allegations that he had conducted himself in an inappropriate sexual manner towards a sixth-form student. The case involved a number of communications: meetings to discuss the allegations; requests for information from the police and previous employers; referrals to the Independent Safeguarding Authority, and queries about his home situation made by an officer of one local authority to an officer at another.

The claimant contended that a number of these communications implied that he was actually guilty of and had actually committed various serious offences (including rape, of which he had been accused in 2001 but exonerated through court proceedings). He brought a defamation claim, also contending that the allegedly defamatory statements infringed his rights under Article 8 and the DPA (in particular, breaches of data protection principles 1, 2, 3, 4 and 6).

The defendants – two local authorities, a headmaster and two local authority officers – sought summary judgment. They said the communications complained of were no more than expressions of concern that matters needed investigating, they asserted qualified privilege (based on the performance of their public duties) and justification.

The judge – as in Kordowski, Tugendhadt J – dismissed the application for summary judgment in part, finding that the claimant’s case under Article 8 and the DPA had a real prospect of success in relation to some of the communications complained of.

The judgment is of interest not only as an illustration of the difficulties of lawfully sharing sensitive information (including opinions) in the context of safeguarding children. It also illustrates that the DPA is increasingly – and realistically – being pressed into the service of types of complaint traditionally brought under other heads. The DPA and Article 8 are, of course, long-standing and natural complements to each other. Defamation, however, is slightly more alien territory for the DPA. Copyright infringement (on which, see a post of mine from last year here) is another area to which the DPA is increasingly relevant.

What, it is sometimes wondered, does a claim under the DPA add which is not already covered by claims under Article 8, defamation and so on? After all, as the defendants in Desmond argued, if someone is aggrieved at DPA breaches, then he has another remedy available, namely a complaint to the ICO. Interestingly, Tugendhadt J’s judgment in Desmond reverses this: what, he asked, would an Article 8 or defamation claim add to the DPA claim – at least with respect to one of the communications complained of? In particular, he was concerned with how best to deal with the claim that information about the 2001 rape allegation had been processed (retained, communicated) without reference to the judgments exonerating the claimant.

This last point about fair and accurate records of serious allegations is important: see an older post of mine here.

For the moment, back to Desmond and how best to deal with legal claims about this sort of complaint. Tugendhadt J said this:

“81. How and why it is that the references to the 2001 incident came to be recorded, but recorded without mentioning the public judgments of the court containing the police’s explanation for not charging the Claimant, is a question for which the proceedings under the DPA may provide the most appropriate form of investigation (as the Court of Appeal suggested in para 51 of their judgment). It is for consideration whether claims under the HRA or in defamation would add any benefit to the Claimant over and above a claim under the DPA. And as noted above, a claim under the DPA appears to raise no issues of limitation.

82. I invited the parties to consider why the Court should not direct that the claim under the DPA proceed first and separately from the other two claims, and give directions as to the filing of evidence (or agreed statements of facts) so that the matter could be determined in accordance with the overriding objective, and in particular with the objective of allotting to the case an appropriate share of the court’s resources.”

This demonstrates that, at least in some circumstances, the DPA may appropriately play the lead role rather than a supporting one in a complaint about unjustifiable and damaging communications about individuals. It looks as if the DPA will continue to flex muscles it did not even know it had.

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.

There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.

The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.

What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.

These factors include the nature, wording and subject matter of the request.

They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?

Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).

Public authorities should establish procedures for dealing with such situations.

They should keep records of any private email account/text message searches they have requested.

Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).

‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.

Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

In my recent post on Sittampalam v IC and BBC(EA/2010/0141), I explained that the Tribunal took the view that the Commissioner does have a discretion to decline to order disclosure, even where information was incorrectly withheld at the time, due to subsequent developments such as legislative changes, inquiries or court proceedings and so on. In so doing, that Tribunal differed from the decision in Gaskell v IC (EA/2010/0090), where it was held that no such discretion existed.

The Upper Tribunal (UT Judge Wikeley) has this week allowed an appeal against the Gaskell decision, meaning that the Sittampalam position has now been confirmed as correct. The issue is put succinctly at paragraph 10 of UT decision GIA 3016 2010:

“The reasoning in the Commissioner’s Decision Notice can be summarized simply. Section 44(1)(a) of FOIA provides an absolute exemption where disclosure by the public authority holding it “is prohibited by or under any enactment”. Section 18(1) of CRCA [Commissioners for Revenue and Customs Act] 2005 provides that “Revenue and Customs officials may not disclose information which is held by the Revenue and Customs in connection with a function of the Revenue and Customs.” Section 18(1) did not apply to the Rent Service at the time that Mrs Gaskell made her original request. However, by the time of his Decision Notice, Rent Service staff had become HMRC officials. If the Commissioner were to order disclosure, those staff would be contravening section 18 of CRCA 2005.”

The First-Tier Tribunal found that the Commissioner has no discretion to decline to order disclosure in such circumstances (and that if he did have such a discretion, he exercised it incorrectly in this instance). In contrast, however, the UT concluded as follows (paragraph 31; my emphases):

“In conclusion, I agree with both counsel [11KBW’s Karen Steyn and Ben Hooper] that the requirement under section 50(4) that the decision notice should specify the steps which must be taken by the public authority does not amount to a mandatory obligation on the Commissioner to require steps to be taken to comply with the requirements of sections 1(1), 11 or 17 in every case, although that consequence will usually follow, save for exceptional cases such as the present one. As a matter of law the mandatory element of section 50(4) is that, if the Commissioner considers that the public authority ought to take any steps to comply with those statutory requirements, then he must specify them in the decision notice, along with the defined period within which they must be undertaken.”

The UT went on to decide that the Commissioner had exercised his discretion correctly in this case.

UT Judge Wikeley’s judgment also includes both a Jane Austenism and the first citation of the Information Law Reports (or Info LRs), launched by Justis and 11KBW this month: Office of Government Commerce v Information Commissioner [2008] EWHC 737 (Admin); [2010] QB 98; [2011] 1 Info LR 743.

In Sittampalam v IC and BBC (EA/2010/0141), the Tribunal has considered a number of important questions. Framed generally (i.e. outside the specific factual context of this case), they are as follows. I add the “short answer” to the questions straight away, and then give some detailed analysis of each in turn below:

(1) Can a public authority rely on the cost ‘exemption’ under section 12 FOIA at a late stage as of right? Answer: no.

(2) If not, does the Commissioner have a discretion to allow late reliance on section 12? Answer: yes.

(3) If he does, can he take into account developments after the time at which the request was refused – and in particular, can he decide that, due to those later developments, disclosure should not be ordered, even though the information should have been disclosed at the time when the request was handled? Answer: yes.

(4) When allowing late reliance on section 12, can the Commissioner require the public authority to answer a disaggregated or narrowed version of the original request, which might bring it within the cost limit? Answer: yes.

Can section 12 be relied on as of right?

First, can a public authority claim late reliance on the cost ‘exemption’ under section 12 FOIA as of right? To put it another way, is the law on late reliance on section 12 the same as the law on late reliance on the exemptions under Part II of FOIA (which may be relied upon late as of right).

The Tribunal’s answer was “no”. This was in light of APPGER (explained in my post here), where the Upper Tribunal explained that section 12 was different from other exemptions. Section 12 is about saving public expenditure; if the requested information has already been retrieved, the expenditure has already been incurred, so there can be no saving and thus no reliance on section 12 from that point onwards.

In this case, the Tribunal concluded that (see paragraph 48):

“The proper time for raising reliance on s12 is the time required by section 17(5), i.e. promptly and in any event not later than the twentieth working day after receipt of the request. Later reliance – at least up to the conclusion of an internal review – is not a matter of right but is to be controlled by reference to the scheme and purposes of the Act.”

Does the Commissioner have a discretion to allow late reliance on section 12?

Subject to the APPGER qualifier – namely that the section 12 cost-saving exemption cannot be claimed when the cost has already been incurred – the Tribunal found that the answer to this question is “yes”.

When might late reliance on section 12 be claimed? One example would be where, because of the nature of the requested information, a public authority is able to rely on a Part II exemption without having to locate or retrieve the requested information. If the Part II exemption falls away (for example, if the Commissioner decides that it is inapplicable), the authority may then need to locate and retrieve the information, and it may be able to raise section 12 for the first time at that stage.

Can the Commissioner take into account developments after the refusal of the request?

The next question considers this scenario. The Commissioner decides that the public authority should have disclosed the requested information at the relevant time. He considers, however, that – because of events subsequent to the time at which the request was refused – disclosure would now be inappropriate. Is this allowed under FOIA?

Another way of looking at this is to ask whether the Commissioner has a discretion to order that “no steps be taken”, notwithstanding a public authority’s wrongful refusal of a request. To understand this issue, one must consider the wording of FOIA itself. Section 50(4) provides that, where a public authority has failed to comply with section 1 (disclosure duties and so on) or sections 11-17 (procedure for refusing a request), then “the decision notice must specify the steps which must be taken by the authority for complying with the requirement and the period within which they must be taken” (my emphasis). Where the Commissioner has found such a failure, this question arises: does section 50(4) mean that he must always direct that steps be taken, or does it simply mean he must stipulate what steps if any are to be taken?

In Gaskell v IC (EA/2010/0090), the Tribunal decided that the Commissioner has no such discretion: the Commissioner must always make a “steps direction”, and he cannot allow events subsequent to the relevant time to determine whether disclosure is ordered or not. The concern of the Tribunal in Gaskell was that such a discretion would give public authorities two bites of the cherry: if their refusal of the request failed (when judged by reference to the time of the handling of the request), they could invite the Commissioner to use his discretion to decline to order disclosure anyway, because of subsequent developments.

In Sittampalam, the Tribunal has taken a different view. It found that the Commissioner does have this discretion to consider subsequent events and, if appropriate, decline to order disclosure. Such cases will, however, be “exceptional” (see paragraph 60). This Tribunal took the view that the Tribunal in Gaskell had not been presented with scenarios illustrating the pitfalls of the “no discretion” position (see paragraphs 58-60). In support of its conclusion about this discretion, the Tribunal said as follows (paragraphs 53-54):

“Stanley Burnton J (as he then was) in Office of Government Commerce v IC [2008] EWHC 774 (Admin); [2010] QB 98; at [98] regarded it as arguable that the Commissioner’s decision as to the steps required to be taken by the authority might take account of subsequent changes of circumstances. In our view, that is not merely arguable but is correct, and flows from the nature of the Commissioner’s jurisdiction and its subject matter, and from the wording of the Act.

The Commissioner, when acting under section 50, is not merely deciding whether an information requester was or was not entitled to information at the time when the request was dealt with. He must also decide what is to be done. The Commissioner has a role both as guardian of the public interest in the appropriate disclosure of information held by public authorities and as a guardian of data protection rights. In our view the statute leaves to him a measure of discretion over what is the appropriate enforcement of information rights in a particular case. It would be perverse, in our view, if he were wholly debarred from taking into account fresh circumstances, not in existence at the date when the request was originally dealt with.”

Can the Commissioner require a public authority to answer a reformulated or narrowed request?

The Tribunal went on to consider whether, when allowing late reliance on section 12, the Commissioner can do so subject to the public authority handling the request in a prescribed way. It considered two possibilities.

First, is the Commissioner is entitled to allow the late reliance on terms as to disaggregation of the request, so as to prevent reliance on section 12 in relation to information that can be provided under the cost limit? The Tribunal concluded, albeit “with some hesitation”, that this is permissible (see paragraph 73):

“If during the Commissioner’s investigation the public authority is to be allowed to change its response to the request with retrospective effect, so as to raise a defence which should have been raised earlier, it does not seem unreasonable or out of line with the statutory scheme to say that the requester might also in a suitable case be allowed to refine or clarify the terms of the request retrospectively. In effect, the Commissioner would say to the public authority: ‘I will permit you to raise section 12 late but, for fairness’ sake, only on terms that you agree to permit the requester to narrow his request and that you agree to treat the narrowed request as validly made.’”

Secondly, is the Commissioner entitled to prescribe the steps to be taken so as to put the requester in the position that he would have been in if the public authority had complied with its duty to advise and assist under section 16. Compliance might enabled the requester to resubmit his request in a narrower form to which section 12 would not have been a defence.

The Tribunal again found that this was permissible, this time “with greater confidence”. It considered the case law on the relationship between sections 12 and 16. It agreed with Roberts v IC (EA/2008/0050) that entitlement to rely on section 12 is not conditional upon compliance with section16. It took the view, however, that “compliance with section 16 may be taken into account where the question is one not of entitlement but of discretion. If this is correct, it should enable the Commissioner to give greater practical effect to s16 than hitherto”. In other words, whenever late reliance on section 12 is claimed, public authorities should pay extra attention to their duties under section 16.

The amendments give the Information Commissioner new powers to serve a monetary penalty on an organisation when very serious breaches of the 2003 Regulations occur and to investigate breaches of the 2003 Regulations by obtaining information from certain third party organisations.

They also introduce an additional requirement where a website uses ‘cookies’, which are small files of letters and numbers downloaded on to a device when the user accesses certain websites, which allow the website to recognise the device. Except where a ‘cookie’ is strictly necessary, websites will now have to obtain the consent of the user or subscriber before ‘cookies’ can be placed on machines. The Information Commissioner has published guidance on the change to the rules. Organisations have 12 months from 26 May 2011 to make sure they comply with the new rules.

The Information Commissioner has issued this statement about how he intends to approach enforcing the new rules and using the new powers.

The absolute exemption at s. 44 FOIA applies where the disclosure of the requested information is prohibited under any enactment. Many statutes contain such prohibitions, often subject to specified exceptions or tests. If a public authority applies that statutory regime incorrectly or in a “Wednesbury unreasonable” way – that is, if it acts unlawfully in a public law sense – then the precondition for reliance on s. 44 FOIA falls away.

This question arises: does FOIA presume “procedural inclusivity” (i.e. the Commissioner and/or tribunal have jurisdiction to consider such public law questions) or “procedural exclusivity” (i.e. public law is a matter for the courts only; requesters must thus seek judicial review)?

In Morrissey v IC and Ofcom (EA/2009/0067), the first-tier tribunal followed the approach taken in Hoyte v Civil Aviation Authority (EA/2007/0101) in supporting inclusivity. In other words, it considered that the Commissioner and tribunal do have jurisdiction to conduct “reasonableness reviews”.

In Morrissey, the tribunal asked itself whether Ofcom had acted reasonably in withholding information under s. 44 FOIA in reliance on s. 393(2)(a) of the Communications Act 2003. Its answer was ‘yes’. Ofcom nonetheless appealed, on the grounds that “reasonableness reviews” are beyond the statutory powers of the Commissioner and tribunal.

The Upper Tribunal has agreed with Ofcom, and endorsed procedural exclusivity: see GIA/605/2010. (Its decision was not concerned with the ultimate outcome of the case – which concerned a request for information about Ofcom’s approach to equal opportunities – but simply with this point of principle).

Its reasoning was as follows. Disparate caselaw illustrates a presumption that lower courts and tribunals can resolve public law prerequisites to their “core business” – but caselaw does not show any presumption that regulators can do so. Under FOIA, the tribunal’s jurisdiction is parasitic upon that of the regulator, the Commissioner. The Commissioner’s jurisdiction is to decide whether a request “has been dealt with in accordance with the requirements of Part I [of FOIA]” (s. 50(1) FOIA). (The tribunal’s jurisdiction is governed by s. 58 FOIA: this says it must determine whether the decision notice was “in accordance with the law” – rather than “Part I of FOIA”. It does not appear that the Upper Tribunal considered anything to turn on this difference).

As to the construction of the particular provision in question, the Upper Tribunal found that the purpose of s. 393 of the Communications Act 2003 is to reassure commercial broadcasters that Ofcom can only lawfully disclose their information if it considers it right to do so for one of the purposes in s. 393(2).

The Upper Tribunal was clear as to the broader implications of its decision: “it must be for the public authority initially to determine whether the information requested is exempt “by virtue of” s. 44” (paragraph 54).

It concluded, however, that judicial review is not the only alternative in these circumstances: the first-tier tribunal may not have jurisdiction over such public law points, but the Upper Tribunal does – provided it has the blessing of the administrative court in any given case.

The Tribunal’s recent decision in Makin v IC (EA/2010/0080 & 81) looks at the application of s. 35 FOIA, the qualified exemption for the formulation and development of government policy, in circumstances where the policy in question was effected through parliamentary legislation. In particular, the requested information concerned the proposal in what was then the Legal Services Bill to continue the exemption of government lawyers from professional regulation, including the requirement to pay for a practising certificate.

The Tribunal considered the application of subsections 1(a), (2) and (4) of s. 35.

It had no hesitation in confirming that s. 35(1)(a) was engaged, relying on the well-established breadth of terms such as “relates to”. For the purposes of s. 35(2), the Tribunal found that no “statistical information” (a working definition of which was taken from the Ministry of Justice guidance of May 2008) was involved.

As regards s. 35(4) – the subsection concerning factual information used to inform decision-making – the Tribunal found that this subsection “should apply where it was relatively obvious that what was being provided was factual information for the purpose of informing the decision–taker on the background”. In adopting this approach, it applied the guidance from the leading case of DWP v Information Commission (EA/2006/0040), where the Tribunal held that, on the spectrum between pure advice and pure fact, “where the information is firstly, so inextricably connected to the deliberative material that it is difficult to distinguish and secondly, where the vast weight of material is non-factual information, we consider Parliament did not intend the sub-section to apply”.

An important point from this case is the Tribunal’s finding that whenever s. 35 is under consideration, public authorities and the IC must consider whether s. 35(4) applies and if so what affect it has on the public interest balancing test. This had not been done in this case.

As to the public interest, a crucial issue was (as is usual with s. 35 cases), when the policy formulation had come to an end. Answer in this case: the date of Royal Assent given to the bill embodying the policy, namely 30 March 2007. In this case, one of the internal reviews was only completed well after this date – but the Tribunal held that the latest relevant date for assessing the public interest was the date when the review ought to have been completed, in accordance with the Code of Practice. This was well before Royal Assent, meaning that the public interest factors applied as if the policy were still in the process of formulation.

In the event, apart from two pieces of information, the Tribunal found that the public interest favoured the maintenance of the exemption. In so doing, it “took the view that the efficacy of the Parliamentary legislative process took precedence in this context… Whilst s. 35 was not aimed directly at protecting the role of Parliament, insofar as Government policy in relation to legislation underpins this particular role of Parliament, they were intertwined”.

A final interesting point is that the Tribunal firmly endorsed the IC’s flexibility to decide that, although information should have been disclosed at the time, it nevertheless ought not to be disclosed due to fresh circumstances that have arisen since the decision of the public authority. In so doing, the Tribunal relied on obiter dicta from the High Court’s decision in Office of Government Commerce v Information Commissioner [2009] 3 W.L.R. 67 (at paragraph 98).